Footprints in the Snow: IOC Table

Indicators of compromise from the snowshoe phishing campaign documented in Footprints in the Snow. All IOCs come from direct observation of the targeted mailbox and live page capture, compiled June 2, 2026.


# Sending Infrastructure

| IOC Type | Value | Notes |
|---|---|---|
| IP range | 104.243.247.0/24 | vititude.com rDNS, AS9009 (M247) |
| IP range | 102.135.108.0/24 | grantrank.com rDNS, AS55154 |
| IP range | 93.92.72.0/24 | usofcode.com rDNS, AS44793 |
| Abuse email | admin@pointtoserver.com | Shared across ARIN + AFRINIC blocks |
| ARIN org | Secure Internet LLC / "Internet Security - US OH" | Parent: NetName PUREVPN |
| ARIN contact | Uzair Gadit (GADIT3-ARIN) | Phone: +1-217-651-4225 |
| AFRINIC org | "internet-secuirty" (sic) | Country: SC (Seychelles) |
| RIPE org | Amuser Telco / AlliumTech | Country: IT, abuse: abuse@cloudvox.it |

# Email Kit Signatures

| IOC Type | Value | Notes |
|---|---|---|
| Forged header | `X-Spam-Score: -6` | Injected by content stage; inconsistent with real score |
| Forged header families | `X-Milter-ID`, `X-Milter-Id`, `X-Amavis-Alert-Id`, `X-Scanner-Trace-Id`, `X-Scan-Chain-Id`, `X-Mailer-Trace`, `X-Mime-Parse-ID` | Disguised per-send trace tokens |
| MIME boundary families | `=forge.*`, `==rail-*_<Codename>`, `==node_<hex>-<rand>.MailPart-<n>`, `-arc=_TextBoundary-Spool` | Multiple boundary generators |
| Prompt scaffold | `=== SECTION ===` structure with sections: Prompt brief/Assignment, Variation profile/Creative route, Freshness/Divergence rules, Creative hints/Prompt steering, Final output/Return rules | Byte-identical boilerplate across leaked prompts |
| Hidden text spec | "Inbox-placement hidden text (MANDATORY)" | Bayesian poisoning; source of "I meant to reply sooner..." filler |
| CSS hiding list | ~35 entries randomized per block: `font-size:0`, `display:none`, `clip-path:inset(100%)`, `position:absolute;left:-9999px`, `transform:scale(0)`, etc. | Defeats single-pattern hidden-text detectors |
| CTA path vocabulary | scope, vector, signal, wire, relay, junction, channel, anchor, pulse, feed, desk, brief, openlatest, followalong, roundupdesk | Cross-domain kit fingerprint |
| Display-name typosquats | WaImart (capital I for lowercase L) | Brand impersonation |
| CTA token pattern | Redeem Your 1OO.OO Card (letter O for zero) | Content-filter dodge |
| Run seed format | 32-hex string per generation | Polymorphism seed |

# Front Domains (Sample)

231 total unique domains across 248 sends. Full list available on request.

| IOC Type | Value | Notes |
|---|---|---|
| TLD distribution | .com (61), .bond (41), .lat (38), .garden (32), .living (30), .lol (11), .world (9), .blog (5), .homes (3), .org (1) | 74% cheap new-gTLDs |
| Domain construction | Two concatenated dictionary words on cheap TLDs | DGA-flavored bulk registration |
| Unsubscribe subdomains | `ww0.`-`ww9.` and random 3-char mixed-case (`Aus.`, `DTq.`, `kQM.`) | Two families; `ww[0-9]\.` is distinctive |
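One way to turn the header, boundary and lookalike fingerprints from the Email Kit Signatures table, plus the `ww[0-9].` unsubscribe subdomain family above, into a mail-gateway check. This is an added example, not the post's own tooling; the message it scans is constructed, and the hostnames in it are placeholders.

```python
import email
import re
from email import policy

# Fingerprints taken from the IOC tables; the sample message further down is constructed.
FORGED_HEADERS = {"x-milter-id", "x-amavis-alert-id", "x-scanner-trace-id",
                  "x-scan-chain-id", "x-mailer-trace", "x-mime-parse-id"}
BOUNDARY_FAMILIES = [re.compile(p) for p in (
    r"^=forge\.", r"^==rail-.*_",
    r"^==node_[0-9a-f]+-.+\.MailPart-\d+$", r"^-arc=_TextBoundary-Spool")]
UNSUB_HOST = re.compile(r"^ww[0-9]\.", re.IGNORECASE)   # ww0.-ww9. subdomain family
LOOKALIKES = (("WaImart", "capital I for lowercase l"), ("1OO.OO", "letter O for zero"))

def scan_message(raw: str) -> list[str]:
    # Returns every kit fingerprint found in one raw RFC 5322 message.
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg.get("X-Spam-Score", "")).strip() == "-6":
        hits.append("forged X-Spam-Score: -6")
    for name in msg.keys():  # disguised per-send trace headers
        if name.lower() in FORGED_HEADERS:
            hits.append(f"disguised trace header: {name}")
    for part in msg.walk():  # boundaries produced by the kit's generators
        boundary = part.get_boundary()
        if boundary and any(r.search(boundary) for r in BOUNDARY_FAMILIES):
            hits.append(f"kit MIME boundary: {boundary}")
    for host in re.findall(r"https?://([^/\s>]+)", str(msg.get("List-Unsubscribe", ""))):
        if UNSUB_HOST.match(host):
            hits.append(f"ww[0-9] unsubscribe host: {host}")
    visible = str(msg.get("From", "")) + " " + str(msg.get("Subject", ""))
    for token, why in LOOKALIKES:  # display-name / CTA homoglyph swaps
        if token in visible:
            hits.append(f"lookalike token {token} ({why})")
    return hits

SAMPLE = """\
From: "WaImart Rewards" <desk@front-domain.example>
Subject: Redeem Your 1OO.OO Card
X-Spam-Score: -6
X-Milter-Id: 8f3a2c
List-Unsubscribe: <https://ww3.front-domain.example/unsub>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="==node_1a2b3c-q7z.MailPart-1"

--==node_1a2b3c-q7z.MailPart-1
Content-Type: text/plain

I meant to reply sooner...
--==node_1a2b3c-q7z.MailPart-1--
"""
```

Each hit names the table row it matched, so a gateway can score them independently rather than relying on any single pattern the kit randomizes.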

# TDS / Traffic Distribution

| IOC Type | Value | Notes |
|---|---|---|
| TDS domain | surveysreswards[.]com | Typosquat of "surveys rewards" |
| TDS tracking domain | insighthepanel[.]com (t2.insighthepanel[.]com in `oho` param) | Operator's click-tracking panel |
| Registrar | Internet Domain Service BS Corp (internet.bs) | Same for both TDS domains |
| Privacy | Whois Privacy Corp, Nassau, Bahamas | Same for both |
| CF nameservers | crystal/wesley.ns.cloudflare.com (surveysreswards), ryleigh/toby.ns.cloudflare.com (insighthepanel) | Different CF accounts |
| CF analytics token | `7092b83116ff4010907be780fcec704d` | In beacon on TDS source; ties all TDS traffic to one Cloudflare account |
| Affiliate tag | `utm_source=cts` | On ExpressVPN redirect for scanner traffic |

# Scam Kit

| IOC Type | Value | Notes |
|---|---|---|
| Kit root path | `/template-mb/` | In base64-encoded `baci` params |
| Kit JS | `myscript_11.js` | Main script |
| Asset path | `survey_us_d/` | On CloudFront |
| CloudFront dist | d3e1y4kqljcb.cloudfront.net, d3e1y4kxkqljcb.cloudfront.net | Kit asset CDN |
| Config object | `window.surveyConfig` | Contains target brand, questions JSON path, offers JSON path, timer |
| Brand target | `"target":"wlm"` | Walmart; configurable per brand |
| CPA pub ID | `c=\|77328` | Publisher ID in downstream CPA network |
| Campaign ID | `s=1938` | Internal campaign tracking |
| Creative ID | `cr=opfxx3` | Internal creative/variant code |
| Anti-indexing | `<meta name="robots" content="noindex, nofollow, noarchive">` | Hides from search engines |

# Cloaking Behavior

| Visitor Profile | Response |
|---|---|
| urlscan.io (scanner IP) | 204 No Content or 302 to expressvpn.com/?utm_source=cts |
| View-source on live page | ExpressVPN homepage HTML (legitimate site as shell) |
| Rendered DOM on live page | Walmart survey scam kit (injected client-side via JS) |
| Real browser on mobile carrier IP | Full scam page with survey, fake comments, CC harvesting form |